Twenty Year Anniversary
Showing 1 - 16 of 16 RSS Feed

Files from zx2c4

First Active2011-03-10
Last Active2018-03-30
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
Gentoo QEMU Local Privilege Escalation
Posted Dec 17, 2015
Authored by zx2c4

Some distributions make virtfs-proxy-helper from QEMU either SUID or give it CAP_CHOWN fs capabilities. This is a terrible idea. While virtfs-proxy-helper makes some sort of flimsy check to make sure its socket path doesn't already exist, it is vulnerable to TOCTOU. This exploit should spawn a root shell, eventually, on vulnerable systems.

tags | exploit, shell, root
advisories | CVE-2015-8556
MD5 | e37a54d0b5f93a8c1e4770a98e1e8cb2
WordPress W3 Total Cache Data Disclosure
Posted Dec 24, 2012
Authored by zx2c4

This is an exploit for W3 Total Cache called W3 Total Fail that works by attempting to guess SQL queries that might contain important password hashes.

tags | exploit
MD5 | fd227400a61545694be5ef12f6ca1b6c
Viscosity OpenVPN OS X Local Root
Posted Aug 13, 2012
Authored by zx2c4

Viscosity OpenVPN client for Mac OS X suffers from a local root command execution vulnerability due to a suid binary executing site.py.

tags | exploit, local, root
systems | apple, osx
MD5 | 310eead57ed8a1879d25cfaf62404d5b
Tunnel Blick Race Condition Local Root
Posted Aug 12, 2012
Authored by zx2c4

Tunnel Blick suffers from a race condition that allows for local root execution.

tags | exploit, local, root
MD5 | 0870a65fba1991804a8eda167bec3000
Tunnel Blick Local Root Exploit Version 2
Posted Aug 11, 2012
Authored by zx2c4

Pwnnel-Blicker is a second local root exploit for Tunnel Blick OS X OpenVPN manager.

tags | exploit, local, root
systems | apple, osx
MD5 | 00ab722f2ba1b1ee134371e96d761d4a
Linux Local Root Via SUID /prod/pid/mem Write
Posted Jan 23, 2012
Authored by zx2c4

This is the Mempodipper local root exploit for Linux. /proc/pid/mem is an interface for reading and writing, directly, process memory by seeking around with the same addresses as the process's virtual memory space. In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly. This means that all Linux kernels greater than and equal to 2.6.39 are vulnerable.

tags | exploit, arbitrary, kernel, local, root
systems | linux
advisories | CVE-2012-0056
MD5 | 50b274079f83341f00a4ec625f3359db
OpenOffice.org Xterm Spawn
Posted Nov 15, 2011
Authored by zx2c4

This is an amusing method of spawning an xterm using a macro in OpenOffice.org when using a Linux box.

tags | exploit
systems | linux
MD5 | 7a067777b40660c6917a9b8490577699
glibc LD_AUDIT Privilege Escalation
Posted Nov 10, 2011
Authored by zx2c4

glibc LD_AUDIT arbitrary DSO load local root exploit that leverages a race condition to escalate privileges.

tags | exploit, arbitrary, local, root
advisories | CVE-2010-3856
MD5 | 040e70e9bcf90b836fd3dd059e51a15e
Calibre E-Book Reader Local Root Race Condition
Posted Nov 3, 2011
Authored by Dan Rosenberg, zx2c4

Calibre E-Book Reader local root race condition exploit that subverts recent changes preventing symlinks and checking path prefixes.

tags | exploit, local, root
MD5 | d7de7d66784b296235b391ff4165a7ca
Calibre E-Book Reader Local Root
Posted Nov 3, 2011
Authored by zx2c4

Calibre E-Book Reader local root exploit that uses the mount helper to mount a vfat filesystem over /etc and then tinkers with /etc/passwd to make the root password toor temporarily.

tags | exploit, local, root
MD5 | 2788d09f0cb78cd65e4b0baa83886e47
Calibre E-Book Reader Local Root
Posted Nov 2, 2011
Authored by zx2c4

Calibre E-Book Reader local root exploit that leverages PATH manipulation and a suid mount helper.

tags | exploit, local, root
MD5 | 5856dee869f4b3b8329ee45b64343177
PolicyKit 0.101 Privilege Escalation
Posted Oct 5, 2011
Authored by zx2c4

PolicyKit versions 0.101 and below local privilege escalation exploit.

tags | exploit, local
advisories | CVE-2011-1485
MD5 | 2f9af8cc142e7792fe8eda4a952fdd24
Linux Kernel 2.6 TCP_MAXSEG Denial Of Service
Posted Mar 10, 2011
Authored by zx2c4

Linux kernel versions prior to 2.6.37-rc2 TCP_MAXSEG kernel panic denial of service exploit that triggers a divide by zero error in net/ipv4/tcp.c.

tags | exploit, denial of service, kernel, tcp
systems | linux
advisories | CVE-2010-4165
MD5 | c004656f07ac5706e1e61d31039304ad
FreeBSD 6.4 Netgraph Privilege Escalation
Posted Mar 10, 2011
Authored by zx2c4

FreeBSD versions 6.4 and below Netgraph local privilege escalation exploit.

tags | exploit, local
systems | freebsd
advisories | CVE-2008-5736
MD5 | 584297acff886b60a6c2d0e54c6829f0
Page 1 of 1
Back1Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    10 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close